Have new working practices made us less prepared for mobile threats?

Jonathan Lee, Senior Product Manager at Menlo Security, looks at the threats to security posed by new ways of working, and at how to counter them. 

Mobile security has often been an afterthought for businesses when it comes to their security strategies. But following the shift to remote working over the past year and half, organisations must rethink their approach when it comes to safeguarding their networks and data in a remote work environment.

It’s clear there are concerns about these new ways of working. In a recent survey commissioned by Menlo Security, three-quarters of IT decision makers admit that their organisations are more susceptible to mobile cyber attacks than just a year ago.

Security concerns
The report looked at the security concerns around the use of mobile devices as businesses operate remotely and where employees are increasingly required to use cloud-based applications and collaboration tools. It questioned senior IT professionals about the mobile threat landscape and how they are responding to these challenges during the pandemic, where work is no longer bound by physical offices.

More than half admit that it’s just not possible to be prepared for all of the tactics and strategies used by attackers targeting mobile devices, while a third claim that it’s impossible to keep up with the pace of these attacks. 

Whether a mobile is corporate-owned or a personal device, running iOS or Android, it’s still running a browser on it, and this is when problems arise. Users can still click on links that they shouldnt and visit websites that contain malware or malicious links. In fact, the risk is even greater because of the reduced screen size, which means that users are not necessarily able to perform the same checks and validations they would if they were using a full-size browser on a desktop, or even a laptop. 

For example, if you look at a reduced web address bar on a mobile device, it means that you can’t always see the full URL, so you can’t check if it looks right or not or necessarily see the green padlock. People are also often distracted when using a mobile device, perhaps doing other things, which means they are less vigilant and perhaps less likely to closely examine where emails or texts are coming from.  

Security updates
The other issue is making sure devices are up to date with the latest patches and security updates. We have seen problems arise time and time again when organisations fail to patch corporate systems quickly enough, leaving security vulnerabilities for attackers to exploit. It’s the same for mobile devices, but potentially more risky because it’s often up the user to make sure it’s updated.

According to our survey results, 72 per cent see iOS as more secure than Android (28 per cent), while 68 per cent think Apple App Store is more secure than Google Play (32 per cent). But despite this confidence in the devices themselves, only around half of respondents admit they update their mobile devices ‘immediately’ or the ‘same day’ a new patch is issued.

Even experienced IT professionals can fall victim to mobile attacks. Around three-quarters acknowledge they have experienced phishing attacks, while around half have been affected by malware, and a third from APTs or Advanced Persistent Threats. But despite the worryingly high number of attacks, most mobile users still feel confident in their company’s ability to identify and prevent them.

The path of least resistance
The fact is that attackers are always looking for the path of least resistance and given that the majority of organisations are currently operating with a highly distributed workforce, mobile devices offer them a huge opportunity – with big rewards.

The majority of workers expect employers to take responsibility for securing mobile devices used for work purposes, but more often than not, companies are still relying on traditional methods, such as mobile device management and DLP. This is leaving them at risk of attack.

It’s encouraging to see more organisations using mobile isolation technology, which fetches and executes web content in a secure, remote browser that completely isolates users from web exploits and malicious payloads. The user is not even aware of it, and there’s no impact on performance or interruption in workflow, which is perhaps the most important aspect of any security solution. Any technology that impacts the user experience, especially on a mobile phone, users will quickly push back and resist it. 

So as organisations continue to adapt to new ways of working, they must focus on getting their mobile security strategy right for the business and ensuring they don’t impact the user experience. 

More information can be found in this Mobile Security Risk Report.